[Original text] vmware-config.pl in VMware for Linux, ESX Server 2.x, and Infrastructure 3 does not check the return code from a Perl chmod function call, which might cause an SSL key file to be created with an unsafe umask that allows local users to read or modify the SSL key.

-
Vulnerability information (F48405)

The VMware configuration program may not correctly set file permissions on generated SSL key files that are used for encrypting traffic for remote administrative connections. Affected software includes VMware Player for Linux, VMware Workstation for Linux, VMware Server for Linux, VMware ESX Server 2.x, and VMware Infrastructure 3.

-
Vulnerability description

VMware ESX Server, VMware GSX Server, VMware Player, VMware Server, and VMware Workstation utilize a flawed vmware-config.pl script that may lead to an unauthorized information disclosure. Under certain circumstances, the vmware-config.pl script may set weak file permissions on the SSL key used by VMware to encrypt console and management communications. If this key file is accessed by unauthorized users, it can be used to attack and decrypt the SSL communications of the affected VMware product, leading to a loss of confidentiality.
This issue is not valid for VMware products running under the Windows operating system.

-
Timeline

Disclosure date:
2006-07-18

Discovery date:
2006-06-01

Exploit date: 2006-07-18

Fix date: Unknown

-
Solution

Upgrade to the latest VMware version (ESX 3.0.1, Server 1.0.3, Workstation 6.0), as it has been reported to fix this vulnerability. Additionally, the vendor has released a patch to address this issue, or users may opt to apply the following workaround:
Assuming VMware has been installed with the default paths, these two commands (executed as root) will set the proper file permissions on the SSL key files:
chmod 400 /etc/vmware/ssl/rui.key
chmod 444 /etc/vmware/ssl/rui.crt
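The following POSIX shell script is an added example, not VMware's code or part of the advisory. It audits the key and certificate at the default paths named above, applies the same chmod 400 / chmod 444 workaround, and checks the result of every chmod explicitly, which is the check the original vmware-config.pl omitted. The function names and the demonstration on constructed temporary files are assumptions for illustration.

```shell
#!/bin/sh
# Audit and, if needed, repair the permission bits on the VMware SSL key
# and certificate. Every chmod result is checked instead of being ignored.

# key_is_private FILE: succeed only if group and other have no access bits.
# ls -ld prints e.g. "-rw-r--r-- ..."; columns 5-10 are group and other.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# cert_is_readonly FILE: succeed only if no write bit is set for anyone.
cert_is_readonly() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    case "$perms" in
        "")  return 1 ;;   # file missing or unreadable
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# fix_ssl_perms KEY CERT: apply the advisory's modes; fail loudly if either
# chmod does not succeed rather than silently continuing.
fix_ssl_perms() {
    chmod 400 "$1" || { echo "chmod 400 $1 failed" >&2; return 1; }
    chmod 444 "$2" || { echo "chmod 444 $2 failed" >&2; return 1; }
    key_is_private "$1" && cert_is_readonly "$2"
}

# audit_vmware_ssl [KEY] [CERT]: report the state of the default install paths.
audit_vmware_ssl() {
    key=${1:-/etc/vmware/ssl/rui.key}
    cert=${2:-/etc/vmware/ssl/rui.crt}
    status=0
    key_is_private "$key"    || { echo "WEAK: $key readable by group/other"; status=1; }
    cert_is_readonly "$cert" || { echo "WEAK: $cert writable"; status=1; }
    return $status
}

# Demonstration on constructed files in a temp dir, not the real VMware paths.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed key material\n' > "$d/rui.key"
    printf 'constructed certificate\n' > "$d/rui.crt"
    chmod 644 "$d/rui.key" "$d/rui.crt"      # the weak mode the bug leaves behind
    audit_vmware_ssl "$d/rui.key" "$d/rui.crt" || echo "before fix: weak"
    fix_ssl_perms "$d/rui.key" "$d/rui.crt" && echo "after fix: ok"
    rm -rf "$d"
}
demo
```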

-
Vulnerability discussion

VMware is prone to an information-disclosure vulnerability because the software sets insecure permissions on SSL key and certificate files.

If an attacker can gain access to SSL key files used to encrypt remote administrative connections, they can decrypt this traffic.

VMware Player for Linux, VMware Workstation for Linux, VMware Server for Linux, and VMware Infrastructure 3 are reported vulnerable.

-
Exploitation

Attackers can exploit this issue using a Windows or UNIX command shell, along with readily available tools that monitor network traffic.

-
Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.